Microsoft Intune Detection Rules: Use a Custom Detection Script

Introduction:

Microsoft Intune deploys applications to a wide range of managed devices, and for a Win32 app the detection rule is what tells Intune whether the app is already present on a device. This guide looks at Intune application detection rules and at the strategies they support for distributing software reliably.

The focus is on the custom detection script option, illustrated with a hands-on example: a PowerShell script that detects the SentinelOne Agent and checks that the installed version meets a minimum. That is exactly the case where the built-in file and folder rules struggle, because the agent's install path changes with every version.

The rest of the article walks through writing the script, adding it to a Win32 app in Intune, verifying the result on the client, and the other detection rule types Intune offers.

Process flow to add a Win32 app to Intune

The Challenge of Version-based Detection

Version control matters for security, compatibility and performance throughout application deployment, but frequent software updates complicate the simpler detection methods.

Take the SentinelOne Agent. It is updated often and installs into a version-specific directory, C:\Program Files\SentinelOne\Sentinel Agent XX.X.X.XXX. Every update creates a new folder with the new version number in its name, so a file or folder detection rule pointed at one path stops matching as soon as the agent is upgraded, and a rule pinned to the old path reports the agent as missing even though a newer build is installed.

Manual Detection Rules: The Solution

The way around version-based detection problems is a manual detection rule, and among the manual options a custom PowerShell script is the most flexible. The script decides exactly what counts as "installed", independent of which version-specific folder happens to exist on the device.

Creating an Effective Detection Rule with PowerShell

This section walks through a detection rule that uses a custom detection script, with the SentinelOne Agent as the example.

Step 1: Crafting the PowerShell Script

Below is a sample PowerShell script written to serve as a detection rule. It checks that a SentinelOne Agent is installed and that its version is at least the minimum required:

PowerShell
# Microsoft Intune Detection Rules: Use a Custom Detection Script
# Sample PowerShell script for a SentinelOne Agent detection rule
$minimumVersion = [version]"22.3.4.612"
$installedVersion = $null

# Check whether the Sentinel Agent is installed and retrieve its version.
# Caveat: Win32_Product is slow and forces a consistency check of every MSI on the
# device each time it is queried. Get-CimInstance replaces the deprecated Get-WmiObject.
# If more than one entry matches, keep the highest version.
$installedApp = Get-CimInstance -ClassName Win32_Product |
    Where-Object { $_.Name -like "*Sentinel Agent*" } |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1
if ($installedApp) {
    $installedVersion = [version]$installedApp.Version
}

# Compare the installed version with the minimum required version.
# Intune marks the app as detected only when the exit code is 0 AND something was
# written to STDOUT, so the result is written with Write-Output (which goes to STDOUT)
# rather than Write-Host (which depends on the host rendering the information stream).
if ($null -ne $installedVersion -and $installedVersion -ge $minimumVersion) {
    Write-Output "Sentinel Agent $installedVersion is installed and meets the minimum version $minimumVersion."
    exit 0  # Detected: installed and meets the version requirement
} elseif ($null -ne $installedVersion) {
    Write-Output "Sentinel Agent $installedVersion is installed, but below the required version $minimumVersion."
    exit 1  # Not detected: installed, but the version is below the requirement
} else {
    Write-Output "Sentinel Agent is not installed."
    exit 1  # Not detected: not installed
}
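The sample above does the job, but Win32_Product is expensive: every query makes Windows Installer validate each installed package, which can take minutes on a busy device and writes reconfiguration events to the Application log. The following added example (not part of the original post, and not SentinelOne's or Microsoft's code) reads the Uninstall registry keys instead, which is what Add/Remove Programs uses and costs milliseconds. The key paths, the "*Sentinel Agent*" display-name pattern and the minimum version are assumptions; confirm the DisplayName and DisplayVersion values on a device that has the agent installed before deploying.

```powershell
# Added example, not from the original post: detect the SentinelOne agent through the
# Uninstall registry keys instead of Win32_Product. Key paths, the display-name
# pattern and the minimum version are assumptions; verify them on a reference device.
$minimumVersion = [version]"22.3.4.612"

# Both the native and the WOW6432Node Uninstall hives, so the answer is the same
# whether Intune runs the script as a 32-bit or a 64-bit process.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installedVersion = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Sentinel Agent*' -and $_.DisplayVersion } |
    ForEach-Object {
        # DisplayVersion is a string; parse it so that 22.10.1.1 sorts above 22.3.4.612
        # (a plain string comparison would put it below). Unparseable values are skipped.
        $parsed = $null
        if ([version]::TryParse($_.DisplayVersion, [ref]$parsed)) { $parsed }
    } |
    Sort-Object -Descending |
    Select-Object -First 1

if ($null -eq $installedVersion) {
    # Not installed. A non-zero exit code means "not detected"; nothing is written to STDOUT.
    exit 1
}

if ($installedVersion -lt $minimumVersion) {
    # Installed but too old: also "not detected", so a required assignment (re)installs the newer package.
    exit 1
}

# Detected: Intune requires BOTH exit code 0 AND data on STDOUT.
Write-Output "Sentinel Agent $installedVersion detected (minimum $minimumVersion)."
exit 0
```

The version comparison is done on [version] objects rather than strings on purpose: "22.10.1.1" is lexically smaller than "22.3.4.612" but numerically larger, and a string comparison would flag a fully patched agent as out of date.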

Step 2: Implementing the Detection Rule in Intune

Script Creation: Save the PowerShell script as a .ps1 file. This file is the custom detection rule.

Intune Configuration: In the Microsoft Intune admin center, go to Apps > Windows > Add, choose the Windows app (Win32) app type, and work through the wizard to the Detection rules step.

Add Detection Rule: Under Rules format, select "Use a custom detection script" and upload the .ps1 file created above. The script has the following properties:

  • Script name – This property enables the administrator to provide a name for the script.
  • Script file – This property enables the administrator to select the script that detects the installation of the app. The app is detected only when the script exit code is 0 and STDOUT contains data; a non-zero exit code, or exit code 0 with an empty STDOUT, means the app is not detected.
  • Run script as 32-bit process on 64-bit clients – This property enables the administrator to run the script in a 32-bit process (yes) or in a 64-bit process (no) on 64-bit clients. This matters when the script reads the registry or Program Files, because a 32-bit process is redirected to the WOW6432Node key and the Program Files (x86) folder.
  • Enforce script signature check – This property enables the administrator to require that the script signature is verified (yes) or to skip the verification (no). With the check enforced, the script must carry a valid Authenticode signature from a publisher the device trusts. That is worth enabling, since the script runs with SYSTEM privileges on every targeted device.
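Before uploading a detection script, it is worth running it locally under the same rule Intune applies. The following added example (not from the original post, and not Microsoft's code) launches a detection script in a fresh powershell.exe, captures the exit code and STDOUT, and reports "detected" only when the exit code is 0 and STDOUT is non-empty. The two switches mirror the 32-bit and signature-check properties listed above. The function name, parameters and the path in the usage line are assumptions. One difference to keep in mind: this runs as the current user, whereas the Intune Management Extension runs detection scripts as SYSTEM, so a script that depends on HKCU or the user profile can behave differently on the real device.

```powershell
# Added example, not from the original post or Microsoft: evaluate a detection script
# locally with the rule the Intune Management Extension applies.
function Test-IntuneDetectionScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [switch] $As32Bit,           # mirrors "Run script as 32-bit process on 64-bit clients"
        [switch] $RequireSignature   # mirrors "Enforce script signature check"
    )

    $result = [ordered]@{ Detected = $false; ExitCode = $null; StdOut = ''; StdErr = '' }

    if ($RequireSignature) {
        # With the check enforced, Intune does not run an unsigned or tampered script at all.
        $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
        if ($sig.Status -ne 'Valid') {
            $result.StdErr = "Signature status is '$($sig.Status)'; Intune would not execute this script."
            return [pscustomobject]$result
        }
    }

    # SysWOW64 hosts the 32-bit PowerShell on a 64-bit OS; System32 hosts the native one.
    # Run this harness from a 64-bit PowerShell so the System32 path is not itself redirected.
    $psExe = if ($As32Bit -and [Environment]::Is64BitOperatingSystem) {
        Join-Path $env:windir 'SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    } else {
        Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'
    }

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $psExe
    $psi.Arguments              = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    # Read stderr asynchronously so a chatty script cannot deadlock on a full pipe.
    $errTask = $proc.StandardError.ReadToEndAsync()
    $stdout  = $proc.StandardOutput.ReadToEnd()
    $proc.WaitForExit()

    $result.ExitCode = $proc.ExitCode
    $result.StdOut   = $stdout.Trim()
    $result.StdErr   = $errTask.Result.Trim()
    # The Intune rule: exit code 0 AND some data on STDOUT. Anything else is "not detected".
    $result.Detected = ($proc.ExitCode -eq 0) -and (-not [string]::IsNullOrWhiteSpace($stdout))
    [pscustomobject]$result
}

# Usage (the script path is an assumption):
# Test-IntuneDetectionScript -ScriptPath 'C:\Temp\Detect-SentinelAgent.ps1' -As32Bit -RequireSignature
```

Run it once with -As32Bit and once without: a script that passes in one mode and fails in the other is reading a redirected registry key or folder, and the property in Intune must be set to match the mode in which it passes.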


After you add this script as the detection rule of a Win32 app and assign the app as required to a user or device, the IntuneManagementExtension.log on the client shows the whole installation process, including how the detection rule(s) were evaluated. The log records the launch of the script, its exit code and output, and the detection status of the Win32 app that Intune derives from that result, both before the install decision and in the re-check that follows the install.

Log file to check on the client: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

Deployment Logic: The script compares the installed version with the defined minimum. Intune treats exit code 0 with output on STDOUT as "detected" and anything else as "not detected".

Deployment Outcome: Devices on which the required version (or newer) is present report the app as installed. Devices where the agent is missing or too old are not detected, so a required assignment runs the install command and brings them up to the packaged version; Intune then runs the detection script again to confirm the result.

Exploring Other Detection Rules

Besides a custom script, Intune offers these detection rule types for Win32 apps under the "Manually configure detection rules" format (see the Microsoft documentation on Win32 app management for details):

MSI Detection Rules: Detect the app by the product code of the installed MSI package, optionally with a version check against the MSI product version.

File Detection Rules: Check a file or folder for existence (or absence), modification date, creation date, size, or the file's version string.

Registry Detection Rules: Check a registry key or value for existence (or absence), or compare a string, integer or version value.

Custom Detection Script Rules: Run a PowerShell script; the app is detected when the exit code is 0 and STDOUT contains data.

Several rules can be combined on one app, and the app is detected only when all of them are satisfied.

Conclusion

Detection rules are the foundation of reliable application deployment in Microsoft Intune. A custom PowerShell script, used alongside the built-in MSI, file and registry rule types, lets you target software precisely and keep device health, security and compatibility in check, even when an application's install path changes with every version.

Detection rules also need upkeep. As applications change their install locations, product codes or version schemes, revisit your rules so they keep reporting the truth about what is installed.
